On 10.08.2017 23:12, g...@gregj.me wrote:
> Ok I think this is onto something. I changed 
>
> <LimitExcept MERGE> to <LimitExcept GET> and the commit worked.  When I 
> removed the LIMITEXCEPT completely it didn't even request my password (and 
> failed).
>
> I'll have our tester test it with that tonight if possible.
>
> Thank You!
>
> Question: What *should* be specified?

If you want all access to be authenticated, you do not need a <Limit> or
<LimitExcept> clause; just the "Require valid-user".

You'd use Limit(Except) in order to impose a read-only and read-write
distinction at the request level, before mod_authz_svn kicks in. Here's
an example, the config I use at $DAYJOB for httpd 2.4.x:

        <RequireAll>
            Require valid-user
            <Limit HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    Require ldap-group cn=dev,ou=group,dc=example,dc=com
                    Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
                    # More reader groups here
                </RequireAny>
            </Limit>
            <LimitExcept HEAD GET OPTIONS PROPFIND REPORT>
                <RequireAny>
                    Require ldap-group cn=dev,ou=group,dc=example,dc=com
                    # More writer groups here
                </RequireAny>                   
            </LimitExcept>
        </RequireAll>


I have LDAP authentication set up, and group assignments in LDAP to
distinguish between users with only read access and users with
read/write access. Notice how I use Limit and LimitExcept so that the
list of request methods is the same in both clauses; this makes it easy
to check the config by eye and I only have to remember what the "read
access" methods are. :)


-- Brane
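
The same-list check described in the message above can also be done mechanically. The following Python sketch is an added example, not part of the original message or of httpd or Subversion; the sample config is constructed, and pairing the n-th `<Limit>` with the n-th `<LimitExcept>` is an assumption that holds for configs laid out like the one above.

```python
import re

# Constructed sample modelled on the config above; REPORT has been dropped
# from the LimitExcept list on purpose to show a mismatch.
SAMPLE = """\
<RequireAll>
    Require valid-user
    <Limit HEAD GET OPTIONS PROPFIND REPORT>
        Require ldap-group cn=dev.readonly,ou=group,dc=example,dc=com
    </Limit>
    <LimitExcept HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=dev,ou=group,dc=example,dc=com
    </LimitExcept>
</RequireAll>
"""

# Opening tags only; directive names are case-insensitive, method names are not.
OPEN_TAG = re.compile(r"^[ \t]*<(Limit|LimitExcept)[ \t]+([^>]+)>", re.I | re.M)


def check_limit_pairs(conf):
    """Pair the n-th <Limit> with the n-th <LimitExcept> (assumption: they are
    written as adjacent pairs in the same context) and compare method lists.

    Returns a list of (kind, methods) findings:
      "both"     - method matches <Limit> and is not excluded by <LimitExcept>,
                   so the rules of both blocks apply to it
      "neither"  - method is excluded by <LimitExcept> but missing from <Limit>,
                   so neither block's rules apply to it
      "unpaired" - the two block types do not occur equally often
    """
    limits, excepts = [], []
    for tag in OPEN_TAG.finditer(conf):
        methods = set(tag.group(2).split())
        (limits if tag.group(1).lower() == "limit" else excepts).append(methods)

    findings = []
    if len(limits) != len(excepts):
        findings.append(("unpaired", [f"{len(limits)} Limit, {len(excepts)} LimitExcept"]))
    for lim, exc in zip(limits, excepts):
        if lim - exc:
            findings.append(("both", sorted(lim - exc)))
        if exc - lim:
            findings.append(("neither", sorted(exc - lim)))
    return findings


if __name__ == "__main__":
    for kind, methods in check_limit_pairs(SAMPLE):
        print(kind, " ".join(methods))
```

A "neither" finding is the one to look at first: such a method is governed only by whatever sits outside the two blocks.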
